The U.S. Food and Drug Administration (FDA) has issued an updated draft guidance that contains recommendations for medical device manufacturers on ensuring the security of their devices from cyberattacks.
Published in the U.S. Federal Register, the updated draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” provides recommendations on security measures that manufacturers should consider across a device’s entire lifecycle. Some specific recommendations include:
- Adopting a secure product development framework to help reduce the number and potential impact of cybersecurity vulnerabilities during the useful life of a device;
- Developing a software bill of materials to track both manufacturer-developed and third-party device and device software components; and
- Ensuring that devices can be updated as necessary to protect against emerging threats.
The draft guidance also encourages device manufacturers to include documentation regarding cybersecurity protections as part of most FDA premarket submission applications, including 510(k) and PMA submissions.
Public comments on the draft guidance can be submitted through July 7, 2022 via the Regulations.gov website (reference Docket ID FDA-2021-D-1158).